diff options
author | Treehugger Robot | 2018-03-29 14:54:04 -0500 |
---|---|---|
committer | Gerrit Code Review | 2018-03-29 14:54:04 -0500 |
commit | 9a76c280d64099411c6ebbbdf5e410232cce9c0e (patch) | |
tree | fdd8d50099cff211d2aa6d88301602132e947c40 | |
parent | 2c36eb6d91730ff77dd26393763a93d6ca1eb202 (diff) | |
parent | 832a7042b0f977b6b0eead33b0265813832b06ed (diff) | |
download | system-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.tar.gz system-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.tar.xz system-sepolicy-9a76c280d64099411c6ebbbdf5e410232cce9c0e.zip |
Merge "Suppress harmless denials for file creation in cgroupfs."
-rw-r--r-- | private/init.te | 5 | ||||
-rw-r--r-- | private/zygote.te | 5 | ||||
-rw-r--r-- | public/domain.te | 7 |
3 files changed, 17 insertions, 0 deletions
diff --git a/private/init.te b/private/init.te index 54648650..50b1c94c 100644 --- a/private/init.te +++ b/private/init.te | |||
@@ -25,3 +25,8 @@ userdebug_or_eng(` | |||
25 | # Sometimes we have to write to non-existent files to avoid conditional | 25 | # Sometimes we have to write to non-existent files to avoid conditional |
26 | # init behavior. See b/35303861 for an example. | 26 | # init behavior. See b/35303861 for an example. |
27 | dontaudit init sysfs:dir write; | 27 | dontaudit init sysfs:dir write; |
28 | |||
29 | # Suppress false positives when using O_CREAT | ||
30 | # to open a file that already exists. | ||
31 | # There's a neverallow rule for this in domain.te | ||
32 | dontaudit init cgroup:file create; | ||
diff --git a/private/zygote.te b/private/zygote.te index 4ea401dc..ab707f15 100644 --- a/private/zygote.te +++ b/private/zygote.te | |||
@@ -134,3 +134,8 @@ neverallow zygote { | |||
134 | 134 | ||
135 | # Do not allow access to Bluetooth-related system properties and files | 135 | # Do not allow access to Bluetooth-related system properties and files |
136 | neverallow zygote bluetooth_prop:file create_file_perms; | 136 | neverallow zygote bluetooth_prop:file create_file_perms; |
137 | |||
138 | # Suppress false positives when using O_CREAT | ||
139 | # to open a file that already exists. | ||
140 | # There's a neverallow rule for this in domain.te | ||
141 | dontaudit zygote cgroup:file create; | ||
diff --git a/public/domain.te b/public/domain.te index 0027efa3..06526482 100644 --- a/public/domain.te +++ b/public/domain.te | |||
@@ -1331,6 +1331,13 @@ neverallow domain { | |||
1331 | sysfs_type | 1331 | sysfs_type |
1332 | }:dir { add_name create link remove_name rename reparent rmdir write }; | 1332 | }:dir { add_name create link remove_name rename reparent rmdir write }; |
1333 | 1333 | ||
1334 | # cgroupfs directories can be created, but not files within them | ||
1335 | # TODO(b/74182216): Remove the installd allow when we're sure it's not used | ||
1336 | neverallow { | ||
1337 | domain | ||
1338 | -installd | ||
1339 | } cgroup:file create; | ||
1340 | |||
1334 | dontaudit domain proc_type:dir write; | 1341 | dontaudit domain proc_type:dir write; |
1335 | dontaudit domain sysfs_type:dir write; | 1342 | dontaudit domain sysfs_type:dir write; |
1336 | 1343 | ||